Analyst M8 U4

This document outlines the EU's approach to cybersecurity and digital intelligence, emphasizing the importance of cyber threat intelligence (CTI) in combating cyber threats and misinformation. It details key EU cybersecurity frameworks such as the NIS Directive and GDPR, and the role of ENISA in coordinating responses to cyber incidents. Additionally, it discusses strategies for countering disinformation and hybrid threats, highlighting the need for coordinated action among EU member states.

Uploaded by Lisapolla

EU GOVERNANCE IN INTELLIGENCE
MASSIVE OPEN ONLINE COURSE (MOOC)
Project N. 2023-1-IT02-KA220-HED-000161770
ANALYST - A New Advanced Level for Your Specialised Training
UNIT 4: CYBERSECURITY AND DIGITAL INTELLIGENCE IN THE EU

Unit Overview

This unit looks at how the EU gathers and uses digital intelligence to fight cyber threats, misinformation, and protect online spaces.

Learning Outcomes

After this unit, learners will be able to:
• Understand the impact of digital transformation on intelligence.
• Identify major EU cybersecurity frameworks (NIS Directive, GDPR, DSA).
• Explain ENISA’s role in cybersecurity coordination.
• Describe how cyber threat intelligence (CTI) supports EU defenses.
• Analyze intelligence strategies against disinformation and hybrid threats.

Table of contents

Part 1: The Digital Transformation of Intelligence
• The evolution of cyber intelligence and digital security strategies.
• The role of intelligence in detecting and preventing cyber threats.
Part 2: EU Cybersecurity Policies and Frameworks
• Overview of the NIS Directive, GDPR, and Digital Services Act.
• The role of ENISA (European Union Agency for Cybersecurity).
Part 3: Cyber Threat Intelligence (CTI) in the EU
• Intelligence techniques used to track cybercriminal networks.
• Case study: EU response to large-scale cyberattacks.
Part 4: Countering Disinformation and Hybrid Threats
• Intelligence responses to digital propaganda and state-sponsored cyber operations.
• Tools used to combat misinformation within EU member states.

The Digital Transformation of Intelligence

What is Cyber Intelligence?


Cyber intelligence refers to the collection and analysis of data from digital environments to
detect and respond to threats. It is used by governments, companies, and EU agencies to
anticipate attacks, understand threat actors, and protect key assets. This intelligence goes
beyond raw data - it includes understanding motivations, timing, and impact, often with the
support of machine learning or behavioural analytics.
In the EU context, cyber intelligence is central to risk assessments and policy planning across
sectors such as energy, transport, health, and defence.

For more information on Cyber Threats, visit the website of the European
Union Agency for Cybersecurity

From Traditional Intelligence to Digital Intelligence

• Traditional intelligence relied on human sources and physical surveillance
• Digital intelligence uses data from networks, devices, and online platforms
• Analysts now combine both types to understand complex threats
• Automation and AI have increased the scale and speed of threat detection
• EU security strategy relies on digital tools to monitor cybercrime and hybrid threats

How Intelligence Prevents Cyber Threats


As cyber threats become more sophisticated, the ability to detect early signals is critical.
Digital intelligence helps by identifying vulnerabilities before they are exploited.

Prevention in practice includes:


• Flagging anomalies like repeated login failures or unexpected traffic
• Using threat intelligence feeds to spot known malware
• Coordinating with EU agencies to share risk alerts across borders
• Responding faster than attackers can move
EU Cybersecurity Policies and Frameworks

NIS Directive – Focus on Threat Preparedness

The NIS2 Directive is not just policy — it shapes how intelligence is used in real time.
Key intelligence-related impacts:
• Requires operators (like energy grids and transport hubs) to report incidents within 24 hours
• Improves early warning systems between member states
• Promotes real-time risk analysis and information exchange
New in NIS2:
• Coverage extends to public administrations, space, and food sectors
• Sets minimum requirements for incident response capabilities

GDPR in Digital Intelligence – Rights vs. Risks


GDPR protects personal data, but what happens when that data becomes part of an investigation?
What intelligence professionals must balance:
• Profiling: Only allowed under strict conditions; affects use of automated threat detection
• Anonymisation: Raw data must be stripped of identifiers when used in training AI models
• Purpose limitation: Intelligence can’t be reused for unrelated investigations
Practical example: A cybersecurity platform can flag suspicious behaviour, but sharing personal info with law enforcement still needs a legal basis.
For details check the EDPB Website

The Role of the European Union Agency for Cybersecurity - ENISA


ENISA is the EU’s cybersecurity agency, based in Athens. It serves as a central point for
expertise, training, and incident coordination. ENISA supports both national governments
and EU institutions in preparing for and responding to cyber threats. Its annual Threat
Landscape Report is a key source for analysts across Europe.
ENISA also runs large-scale exercises like Cyber Europe, where simulated attacks test the
resilience of national systems.

For more on ENISA’s cybersecurity role, training, and EU-wide coordination, visit: www.enisa.europa.eu
Cyber Threat Intelligence in the EU

What is Cyber Threat Intelligence (CTI)?


Cyber Threat Intelligence (CTI) provides structured insights into cyber threats at different
levels, helping organisations detect, understand, and respond to attacks more effectively.

• Strategic CTI: Trends and big-picture threats for senior decision-makers
• Operational CTI: Technical patterns and context around specific threats
• Tactical CTI: Detailed indicators like malware hashes or phishing domains
• CTI Feeds: Automated streams from trusted providers (e.g. CERT-EU, ENISA)
• Purpose: Enables preemptive action and more targeted defences



CTI in Action – Tracking Threats

A practical CTI workflow might begin with collecting data from honeypots, threat
reports, or leaked criminal chat logs.
Analysts match that data with recent activity seen on EU networks. They may identify a
phishing campaign targeting hospitals, for example. With this information, they notify
other EU countries through platforms like SIENA.

The entire cycle - from collection to response - can take just hours when coordination
works well.
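
The matching step of this workflow (and the earlier point about using threat intelligence feeds to spot known malware) can be sketched as follows. This is an added example, not part of the course material: the feed entries, events, field names and function names are all constructed for illustration. It matches tactical indicators against observations, groups hits by campaign, and lists campaigns seen in more than one country as candidates for cross-border notification.

```python
from collections import defaultdict
# Constructed tactical indicators shaped like CTI feed entries (not real IoCs;
# the domain uses a TLD reserved for documentation).
FEED = [
    {"type": "domain", "value": "login-portal.example", "campaign": "hospital-phish"},
    {"type": "sha256", "value": "a" * 64, "campaign": "hospital-phish"},
]
# Constructed sensor observations (DNS lookups and file hashes).
EVENTS = [
    {"org": "hospital-a", "country": "IT", "kind": "dns", "value": "Mail.Login-Portal.example."},
    {"org": "hospital-b", "country": "DE", "kind": "file", "value": "A" * 64},
    {"org": "utility-c", "country": "FR", "kind": "dns", "value": "notlogin-portal.example"},
]

def normalise(kind, value):
    # Feeds and logs differ in case and in the trailing DNS root dot.
    value = value.strip().lower()
    return value.rstrip(".") if kind in ("dns", "domain") else value

def build_index(feed):
    return {(i["type"], normalise(i["type"], i["value"])): i["campaign"] for i in feed}

def match_event(index, event):
    value = normalise(event["kind"], event["value"])
    if event["kind"] == "file":
        return index.get(("sha256", value))
    # Match the indicator or any subdomain of it, on label boundaries only,
    # so "notlogin-portal.example" does not hit "login-portal.example".
    labels = value.split(".")
    for i in range(len(labels)):
        campaign = index.get(("domain", ".".join(labels[i:])))
        if campaign:
            return campaign
    return None

def correlate(feed, events):
    # Group matched observations by campaign: affected orgs and countries.
    index = build_index(feed)
    hits = defaultdict(lambda: {"orgs": set(), "countries": set()})
    for event in events:
        campaign = match_event(index, event)
        if campaign:
            hits[campaign]["orgs"].add(event["org"])
            hits[campaign]["countries"].add(event["country"])
    return dict(hits)

def cross_border(hits):
    # Campaigns observed in more than one country.
    return sorted(c for c, h in hits.items() if len(h["countries"]) > 1)
```
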

Case Study – EU Response to SolarWinds Hack


The 2020 SolarWinds hack was a significant supply chain attack compromising the Orion
software platform. While primarily impacting US entities, some EU-based organizations were
indirectly affected. The incident underscored vulnerabilities in global IT supply chains.
The EU response included:
• Strengthening supply chain cybersecurity guidance
• Enhancing coordination among EU CSIRTs
• Expanding cross-sector threat intelligence sharing

Read more about the SolarWinds incident and other major supply chain
attacks in ENISA’s Threat Landscape for Supply Chain Attacks report
Countering Disinformation and Hybrid Threats

Understanding Hybrid Threats

Hybrid threats blend different tactics to destabilize societies without open conflict.
• Combine cyberattacks, disinformation, and political manipulation
• Commonly used by states or groups acting on their behalf
• Target trust in institutions, critical infrastructure, and democratic processes
• Often hard to trace or respond to under current laws and systems
• Seen in election interference, vaccine misinformation, and fake advocacy groups

Read more about how NATO defines and responds to hybrid threats:
Countering hybrid threats

Tools to Counter Disinformation


The EU uses several tools to counter disinformation, including fact-checking platforms, AI-
driven monitoring systems, and a rapid alert network for emerging threats. One of the best-
known efforts is EUvsDisinfo, which tracks and exposes state-backed narratives through
public reporting.
The European Digital Media Observatory (EDMO) supports a network of national fact-
checking hubs and research centers across member states. The Rapid Alert System enables
swift coordination between EU institutions and countries in response to disinformation
threats. Other initiatives help detect coordinated campaigns involving bots and trolls. These
efforts are designed to promote transparency while upholding legal protections for free
expression.

Intelligence vs Disinformation - A Comparison


This table compares how intelligence gathering and disinformation campaigns operate:

Focus Area | Intelligence Gathering | Disinformation Campaigns
Goal | Understand and respond to threats | Influence or manipulate public opinion
Tools | Data analysis, threat modelling | Fake news, deepfakes, fake accounts
Source | State agencies, experts | Often state-linked or criminal
Detection | Legal and technical coordination | Harder due to rapid spread and design
Risk | Data misuse or overreach | Societal division and mistrust


Intelligence in EU Security Policy
HOW THE EU FIGHTS HYBRID THREATS
Hybrid threats are increasingly used to exploit the vulnerabilities of open societies without
triggering traditional military responses. Understanding how to build resilience against these
tactics is essential for European security.
Watch this video where Dr. Teija Tiilikainen, Director of the Hybrid CoE, highlights how hybrid threats evolve, the tools used to counter them, and why coordinated action between states and societies is key to defending democracy.
Unit 4: Activity

Scenario:
Imagine you are advising the EU Commission’s crisis unit. A major disinformation
campaign has spread false claims about a new health crisis and is trending across
multiple platforms.

Your task: Write a short plan (5–7 points) outlining how digital intelligence could
help respond.
Consider:
• What data would you collect first?
• Which agencies would you coordinate with?
• How would you verify sources?
• What platforms might be targeted?
• How would you counter the campaign publicly?
Unit 4: Self-Assessment

What is one key function of ENISA?


A) Launching police investigations
B) Monitoring private social media use
C) Coordinating EU-wide cybersecurity training
D) Overseeing national laws on privacy

What is the EUvsDisinfo project primarily designed to do?


A) Monitor cybersecurity vulnerabilities in critical infrastructure
B) Detect and analyse online propaganda and disinformation
C) Develop AI-based surveillance systems
D) Regulate encryption software for law enforcement